Privacy Policy

Privacy and Data Protection Policy – Wheelers ePlatform

Wheelers ePlatform is committed to safeguarding your privacy. We will only use the information that we collect about you lawfully.

This Policy describes how we treat personal data.

Who we are

Wheelers ePlatform is provided by: Wheeler’s Book Club Ltd (NZ). Our company registration number is 19128107258. Email: support@eplatform.co. We are a service provider to Schools, Colleges and Libraries.

Purpose and scope of this Policy

The Policy is designed to provide an overview of how data protection is managed in the Wheelers Group. It sets out the following:

Data protection policy and objectives

The data protection framework

Legal compliance, including the requirements of the EU General Data Protection Regulation (GDPR)

This Policy is intended for circulation to Wheeler’s customers, suppliers and other interested parties.

POLICY, OBJECTIVES AND SCOPE

Privacy Policy Statement

The Privacy Policy of Wheelers recognises, observes and protects the rights of individuals (data subjects) in regard to any of their personal data that the Wheelers Group collects, processes and stores, in accordance with all applicable legal, regulatory and contractual obligations. The Policy will be reviewed annually.

Objectives

The objectives of the Policy are to:

Communicate Wheeler’s Data Protection commitment to employees, customers and other third parties;

Summarise how Wheeler’s approach to data protection management is designed to be compliant with data protection legislation;

Summarise governance arrangements for data protection management.

Scope

The scope of the Policy covers:

All personal data collected and / or processed by Wheelers in the conduct of its business, in any format;

All products and services developed and provided by Wheelers;

All Wheelers staff.

DATA PROTECTION FRAMEWORK

Wheelers as Data Controller

Wheelers acts as a data controller for the following categories of data subjects:

Employees

Former employees

Individuals who form part of our advertisement campaigns

Prospective employees

Consultants

Wheelers as Data Processor

Wheelers, and its associated companies and divisions, acts as a data processor with regard to the processing of personal data for the following categories of data subjects:

Persons who work or volunteer for organisations that buy products or services from Wheelers

Students/patrons: where Wheelers processes their data in order to provide services to the data controller (educational establishment customer or library)

Customers:

Individual consumer customers

Education Establishment customers who require Wheelers to process personal data in order to deliver the services

Suppliers

Consultants

Staff working for organisations

Wheelers enacts its obligations as a data processor with regard to:

Legal requirements

Contracts

The Terms & Conditions of its products and services

Consent

Wheelers reflects legal requirements relating to consent in the following ways:

How consent is obtained, recorded and managed in its customer-facing systems

Data retention and deletion procedures

Terms & Conditions for products and services

Individuals’ Rights

In accordance with data protection legislation, Wheelers recognises that data subjects have specific rights that must be protected and observed.

Right to be informed

Wheelers provides employees, customers and other third parties with information about how personal data is collected, processed and managed. Wheelers seeks to provide this information in language that is clear, concise and intelligible. This information is intended to be easily accessible for internal and external users.

Right of access

Wheelers provides data subjects with access to the personal data that it manages as a data controller. Data subjects for whom Wheelers is not the data controller, but whose personal data it may process, should contact the data controller directly when requesting such access.

Right to rectification

Wheelers recognises the right of individuals to have inaccurate or incomplete data amended. Wheelers employees should initially make a rectification request to Wheeler’s Human Resources department. Data subjects for whom Wheelers is not the data controller should, in the first instance, contact the data controller when making a data rectification request. Queries or complaints should be made to support@eplatform.co.

Right to erasure

Wheelers recognises the right of individuals to request that their data be deleted or removed where there is no compelling reason for its continued processing. Wheelers will, in all cases, follow any guidance provided by relevant authorities (such as the Office of the Privacy Commissioner (NZ) and the UK Independent Commissioner’s Office (ICO)) on how and when such a request should be observed.

Wheelers maintains a data retention schedule so that personal data is not retained for longer than is necessary with regard to the purpose for which the data was originally collected. This may include logging data that is temporarily retained for diagnostic purposes. However, some personal data may be required to be retained in order to observe other legal or regulatory obligations. In addition, in line with the ICO’s guidance on the constraints that exist when deleting data retained in digital back-ups, Wheelers will seek to place such back-ups beyond effective use.

Right to data portability

Where the right of portability applies, as defined by the ICO, Wheelers will provide data in a structured, commonly used and machine-readable form. In most cases, this will be the CSV format.

The implementation of such controls may vary between specific products and services.

Data Breaches

All security incidents are logged on an internal security incident management system. They are reviewed and evaluated by a member of the security management team.

A security incident that involves personal data will initially be categorised as a Potential Data Protection Incident. If it is determined that a data breach has indeed occurred, this will trigger a formal Data Breach procedure.

If a data breach relates to employee data, Wheelers will inform the relevant authority in accordance with published guidance.

If the data breach relates to customer or supplier data, Wheelers will notify the relevant data controller.

Data we receive

Logging in to the school/library lending platform is managed through a variety of authentication methods including LDAP, SAML SSO, SIP2, OpenID and FTP. In a number of these cases, the school/library we are contracted with sends user/patron data that will enable this authentication to occur accurately. Any personal data that is sent is managed by the school/library itself. The school/library is the data controller and Wheelers is the Data Processor.

The data we receive on library/school patrons may include:

- Barcode/username
- Password
- Year level, for restricting access of certain titles to certain age groups
- Birthdate, if year level is not chosen by the school
- Name, if barcode is not chosen by the school
- Email, used to notify availability of a title that has been reserved

Legal Basis for Processing Data

The legal basis for Wheelers processing personal data varies according to the nature of the activity being undertaken:

Consent of the data subject, e.g. consent to receipt of marketing information

Necessary for the performance of a contract, e.g. storing of employee and basic student/patron data

Processing for compliance with a legal obligation, e.g. retention of some employee data

For the purposes of legitimate interests, e.g. direct marketing

Who we share information with

We share personal data with our Library customers, group companies and suppliers as necessary to run our business. For example, our parent company provides us with hosting, and helps us to fulfil loan requests.

Cookies

Cookies are small text files stored in your device’s cache by our servers. Our website sets some cookies itself to remember your choices and help the site to function.

POLICY RELEVANT TO UK (and other EU) DATA SUBJECTS

Transfer of personal data to a country outside the EEA

Wheelers is a global organisation, with its head office in New Zealand and its wholly owned development subsidiary in Malaysia. Our data and databases are hosted by Microsoft Azure.

Your personal data may be accessed by designated staff operating outside the European Economic Area ("EEA") who work for us. Such staff may be engaged in, among other things, development work on the software/platform and the provision of support services. By submitting your personal information, you agree to Wheelers transferring, storing and processing your personal information outside the EEA.

In compliance with Chapter V of the GDPR, Wheelers has provided adequate safeguards for the transfer of personal data, with individual rights enforceable between Wheelers entities.

However, if you do not agree to this procedure you should not use our services.

Legal Compliance - Applicable Legislation

The following legislation is relevant to data protection legal compliance for UK data subjects:

Data Protection Act 1998

General Data Protection Regulation (GDPR)

Privacy and Electronic Communications Regulations (PECR) 2015

Investigatory Powers Act 2016

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

Protection of Freedoms Act 2012

Personal Data

Wheelers uses the following definition of personal data.

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Source: GDPR, Rec.26; Art.4(1)

Data Controller

Wheelers uses the following definition for the term “data controller”:

"Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller may be designated by those laws.

Source: GDPR, Art.2(d)

Data Processor

Wheelers uses the following definition for the term “data processor”:

“A processor is responsible for processing personal data on behalf of a controller.” (ICO)

"Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.

Source: GDPR, Art.2(e)

UPDATES TO THIS POLICY

Our privacy policy is regularly reviewed to make sure we continue to serve the privacy interests of our customers. We reserve the right to change and update the privacy policy, and these changes will be posted on this page. We encourage you to visit this page from time to time to ensure you are aware of any changes we may have made. We will tell you about major changes by email.

If you have any concerns about this privacy policy or what we do with your personal data, please contact your Data Controller (school/library).